Did Russia Hack Macron? The Evidence Is Far From Conclusive


Leader of 'En Marche !' Emmanuel Macron addresses supporters after winning the French Presidential Election. Macron's campaign was the subject of a hack, leading to a leak of 9GB of email data. (Photo by David Ramos/Getty Images)

It looks like Russia, it smells like Russia, so it's probably Russia. So goes the current line of thinking in the security community as it tries to figure out who leaked reams of files pilfered from the campaign staff of the incoming French President Emmanuel Macron.

Take, for instance, FireEye, the cybersecurity firm credited with first identifying the group known as APT28 or Fancy Bear, later blamed for the Democratic National Committee hack, as a Russian operation. That crew is now the number one suspect in the Macron attack, which saw data leaked on Friday, just two days before the second round of the French election.

FireEye, like others, said the links between APT28 and the Macron hit rest largely on "TTPs" (tactics, techniques and procedures). The Macron attackers, from their phishing attempts to the public dissemination of the data, partly aided by Wikileaks' Twitter account, used many of the same TTPs associated with previous APT28 activity, said FireEye's head of cyberespionage intelligence John Hultquist.

There were also two IP addresses, both hosted in Europe, that served phishing sites targeting Macron's En Marche campaign: onedrive-en-marche.fr and mail-en-marche.fr, both built around the campaign's own en-marche.fr domain name. Those sites, set up in March and April, had been attributed by Trend Micro to Fancy Bear (which it calls Pawn Storm) before the leak.

But Hultquist could only say the attack was "probably" carried out by APT28, a group the U.S. government has said is run by Russia's military intelligence agency, the Main Intelligence Directorate of the General Staff (GRU). "This incident was widely anticipated and followed intrusion activity which was consistent with APT28," said Hultquist. He added, however, that "a marginal focus on operational security by this adversary could set back the ability to attribute their actions significantly."

While those phishing domains may have been used against Macron and his supporters, there's no conclusive evidence showing either that the phishing succeeded or that it led to the leak. Put simply, there's no data tying Fancy Bear's known command-and-control domains to the En Marche breach.

CrowdStrike, which found plenty of evidence tying the allegedly Russian group known as Fancy Bear to the DNC hack, has found no technical links either, after an initial look at the available evidence. (It qualified that it had not yet been able to carry out an extensive analysis.)

Russia has previously denied any involvement in attacks on the U.S. election or other cyberespionage campaigns. The Kremlin had not responded to a request for comment on the claims it may have sponsored the Macron hack.

Cyrillic characters misleading?

There was another link to Russia in the dump. But it may be a red herring.

Cyrillic characters were uncovered in the metadata of leaked Macron files. It's unclear why they were present. Was it a slip up? Or a diversion? Impossible to say.

That metadata was present because the files had been edited in a Russian-language version of Microsoft Excel. A user named "Рошка Георгий Петрович/Roshka Georgy Petrovich" appeared as the editor on half of the edits, according to an analysis from AlienVault's Chris Doman. The company noted that this could have been false information planted by the hackers (the Macron campaign said the dump had fake data mixed in), an operational mistake by the hackers, or that an innocent employee with that name was caught up in the hack.
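For readers who want to check this kind of claim themselves, here is an added example (my own code, not part of the original article or of AlienVault's analysis) of the check that surfaces a name like this: it reads the author and last-modified-by fields from the docProps/core.xml part of an OOXML package (.xlsx, .docx, .pptx), reports which Unicode scripts the letters belong to, and then rewrites the field. The rewrite is the point of the article's caveat: these names are free text written by whatever application last saved the file, nothing signs them, and anyone who handled the file afterwards can put any name there in any script. The spreadsheet is a constructed minimal container built in memory, not a leaked file; the Cyrillic name is the one the article reports, used only as sample input.

```python
import io
import unicodedata
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespaces used by docProps/core.xml in every OOXML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep readable prefixes when re-serialising

CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" xmlns:xsi="{xsi}">'
    "<dc:creator>{creator}</dc:creator>"
    "<cp:lastModifiedBy>{modifier}</cp:lastModifiedBy>"
    '<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
    "</cp:coreProperties>"
)


def build_sample_xlsx(creator, modifier, modified="2017-04-21T10:15:00Z"):
    """Constructed sample: a minimal zip holding only the core-properties part.
    A real .xlsx carries many more parts, but metadata triage reads only this one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML.format(
            creator=escape(creator), modifier=escape(modifier), modified=modified, **NS))
    return buf.getvalue()


def read_core_properties(blob):
    """Return creator / lastModifiedBy / modified from an OOXML package given as bytes."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {
        "creator": text("dc:creator"),
        "lastModifiedBy": text("cp:lastModifiedBy"),
        "modified": text("dcterms:modified"),
    }


def scripts_in(value):
    """Set of Unicode script names ('CYRILLIC', 'LATIN', ...) of the letters in value.
    The script is the first word of each character's Unicode name."""
    return {unicodedata.name(ch).split(" ")[0] for ch in value if ch.isalpha()}


def triage(blob):
    """Return (properties, flags) where flags lists any non-Latin scripts per author field."""
    props = read_core_properties(blob)
    flags = {}
    for field in ("creator", "lastModifiedBy"):
        flags[field] = sorted(scripts_in(props[field] or "") - {"LATIN"})
    return props, flags


def rewrite_last_modified_by(blob, new_name):
    """Plant a name: rewrite cp:lastModifiedBy and repack the zip. No signature or
    checksum protects this field, so the result is indistinguishable from a genuine edit."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(blob)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                root.find("cp:lastModifiedBy", NS).text = new_name
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    # A file saved by a hypothetical staffer, then the same file with a planted editor name.
    original = build_sample_xlsx("Campaign Staffer", "Campaign Staffer")
    planted = rewrite_last_modified_by(original, "Рошка Георгий Петрович")
    print("original:", triage(original))
    print("planted: ", triage(planted))
```

Run against a real dump, the triage step is what turns up names in an unexpected script; the rewrite step is why that finding on its own cannot settle who the editor was. It supports all three of the readings AlienVault listed equally: the field looks the same whether an attacker slipped, an employee was caught up in the breach, or someone planted the value afterwards.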

And, Doman told me, he had not seen "anything definitive" linking the two phishing domains found by Trend Micro to the Macron dump, "though it seemed likely."

Muddying the waters further, En Marche's digital lead Mounir Mahjoubi indicated to the French press that Macron's campaign may have planted its own fake data on its servers as a "honeypot," set up to attract hackers and trick them into stealing tagged data. Honeypots are typically used as traps to track attackers' activities.

Mounir Mahjoubi appears to say here, and this is interesting, that several fakes were ones that his team *itself* planted in honeypot inboxes. pic.twitter.com/ntb3GA1an0

I cover security and privacy for Forbes. I’ve been breaking news and writing features on these topics for major publications since 2010. As a freelancer, I worked for The Guardian, Vice Motherboard, Wired and BBC.com, amongst many others. I was named BT Security Journalist ...